Message-ID: <4BA75D1A.8010001@nagafix.co.uk>
Date:	Mon, 22 Mar 2010 19:05:46 +0700
From:	Antoine Martin <antoine@...afix.co.uk>
To:	Avi Kivity <avi@...hat.com>
CC:	Olivier Galibert <galibert@...ox.com>, Ingo Molnar <mingo@...e.hu>,
	Anthony Liguori <anthony@...emonkey.ws>,
	Pekka Enberg <penberg@...helsinki.fi>,
	"Zhang, Yanmin" <yanmin_zhang@...ux.intel.com>,
	Peter Zijlstra <a.p.zijlstra@...llo.nl>,
	Sheng Yang <sheng@...ux.intel.com>,
	linux-kernel@...r.kernel.org, kvm@...r.kernel.org,
	Marcelo Tosatti <mtosatti@...hat.com>,
	Joerg Roedel <joro@...tes.org>,
	Jes Sorensen <Jes.Sorensen@...hat.com>,
	Gleb Natapov <gleb@...hat.com>,
	Zachary Amsden <zamsden@...hat.com>, ziteng.huang@...el.com,
	Arnaldo Carvalho de Melo <acme@...hat.com>,
	Frédéric Weisbecker <fweisbec@...il.com>
Subject: Re: [RFC] Unify KVM kernel-space and user-space code into a single project

[snip]
>>>   I believe that -kernel use will be rare, though.  It's a lot 
>>> easier to keep everything in one filesystem.
>> Well, for what it's worth, I rarely ever use anything else. My 
>> virtual disks are raw so I can loop mount them easily, and I can also 
>> switch my guest kernels from outside... without ever needing to mount 
>> those disks.
>
> Curious, what do you use them for?
Various things; here is one use case which I think is under-used: 
read-only virtual disks with just one network application on them (no 
runlevels, sshd, user accounts, etc.), a hell of a lot easier to maintain 
and secure than a full-blown distro. Want a new kernel? Boot a new VM 
and swap it for the old one with zero downtime (if your network app 
supports this sort of hot-swap - which a lot of cluster apps do).

Another reason for wanting to keep the kernel outside is to limit the 
potential points of failure: remove the partition table, remove the 
bootloader, remove even the ramdisk. Also makes it easier to switch to 
another solution (say UML) or another disk driver (as someone mentioned 
previously).
In virtualized environments I often prefer to remove the ability to load 
kernel modules too, for obvious reasons.

Hope this helps.

Antoine
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
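An added example, not part of Antoine's post: a small Python audit that checks whether a running Linux guest actually matches the posture he describes (root filesystem mounted read-only, module loading switched off, nothing loaded). The sample `/proc/mounts` and `/proc/modules` contents below are constructed, and a missing `kernel.modules_disabled` sysctl is treated as a kernel built without module support at all.

```python
from pathlib import Path

def parse_mounts(mounts_text):
    """Map each mount point in /proc/mounts to its set of mount options."""
    mounts = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4:                      # dev, mountpoint, fstype, opts, ...
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts

def root_is_readonly(mounts_text):
    return "ro" in parse_mounts(mounts_text).get("/", set())

def loaded_modules(modules_text):
    """Module names from /proc/modules; None means the kernel has no module support."""
    if modules_text is None:
        return []
    return [line.split()[0] for line in modules_text.splitlines() if line.strip()]

def audit(mounts_text, modules_disabled_text, modules_text):
    """Return a list of findings; an empty list means the guest matches the posture."""
    findings = []
    if not root_is_readonly(mounts_text):
        findings.append("root filesystem is mounted read-write")
    # kernel.modules_disabled is a one-way switch: once set to 1 it stays 1 until reboot.
    # A kernel built without CONFIG_MODULES has no such sysctl (None), which is stricter still.
    if modules_disabled_text is not None and modules_disabled_text.strip() != "1":
        findings.append("kernel.modules_disabled is not 1; modules can still be loaded")
    mods = loaded_modules(modules_text)
    if mods:
        findings.append("modules loaded: " + ", ".join(mods))
    return findings

def read_or_none(path):
    try:
        return Path(path).read_text()
    except FileNotFoundError:
        return None

def audit_live_guest():
    """Run the audit against the running kernel (Linux only)."""
    return audit(read_or_none("/proc/mounts") or "",
                 read_or_none("/proc/sys/kernel/modules_disabled"),
                 read_or_none("/proc/modules"))

# Constructed sample inputs, not captured from a real guest.
HARDENED_MOUNTS = "/dev/vda / ext4 ro,relatime 0 0\nproc /proc proc rw,nosuid,nodev,noexec 0 0\n"
LAX_MOUNTS = "/dev/vda / ext4 rw,relatime 0 0\nproc /proc proc rw,nosuid,nodev,noexec 0 0\n"
LAX_MODULES = "e1000 123456 0 - Live 0x0000000000000000\nvirtio_net 45678 0 - Live 0x0\n"

if __name__ == "__main__":
    for finding in audit(LAX_MOUNTS, "0\n", LAX_MODULES):
        print("finding:", finding)
```

Run `audit_live_guest()` inside the VM after boot; an empty list is the expected result for a guest booted with `ro` on the kernel command line and `kernel.modules_disabled=1` set early in init.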